[x] Put an X between the brackets on this line if you have done all of the following:
Checked that your rule idea isn't already filed: search
Summary
This technique is based off a self-deletion proof-of-concept using alternate data streams where a running file can be deleted from disk. I have observed this in malware families such as LATRODECTUS and ROOK ransomware. The main behaviors are centered around:
Retrieving handle requesting DELETE access via CreateFileW
Using SetFileInformationByHandle with FileRenameInfo to rename file stream
Using SetFileInformationByHandle with FileDispositionInfo to set DeleteFile flag to true
Prerequisites
Summary
This technique is based off a self-deletion proof-of-concept using alternate data streams where a running file can be deleted from disk. I have observed this in malware families such as LATRODECTUS and ROOK ransomware. The main behaviors are centered around:
CreateFileWSetFileInformationByHandlewithFileRenameInfoto rename file streamSetFileInformationByHandlewithFileDispositionInfoto set DeleteFile flag to trueExamples
Family: LATRODECTUS SHA256: 388021747b85453adff2680c8a0e13e230f4eeada1a1055e3fb8e09800d4fb79 Offset: 0x180003A24
Family: ROOK SHA256: c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac Offset: 0x1400019C0
References